HCP Problem with secondary Identity Provider and ?saml2idp= URL parameter

Oct 11, 2016 at 12:54 AM

Former Member

Hello,

I have a problem with the ?saml2idp= URL parameter in my application deployed in HCP. I have two Identity Providers set up in the HCP configuration. User authentication against the default IdP works fine.

Unfortunately, when I add the '?saml2idp=secondary.example.com' parameter to a URL of my application to use the secondary IdP, the user is redirected to http://secondary.example.com to authenticate, then he is redirected back to HCP and gets an HTTP 401 Unauthorized error.

The same error message is returned for all applications deployed in the HCP account when using ?saml2idp= parameter. Both of the Identity Providers are configured the same way.

Does anyone use multiple Identity Providers in HCP? Do you know where the problem is and how to fix it? In the application logs I can see problems with the SAML signature (below), but the SAML2 response contains the proper user data.

Thank you for any help,

Adam

Problems with SAML signature in the app logs:

  • 2016 10 06 17:48:48#+00#ERROR#com.sap.security.saml2.sp.sso.AssertionValidationService##anonymous#http-nio-8041-exec-1#na#acc#app#web#acc#Signature validation of SAML2Assertion failed.com.sap.security.saml2.lib.common.SAML2Exception: Signature not valid!
  • 2016 10 06 17:48:48#+00#ERROR#com.sap.core.jpaas.security.saml2.sp.loginmodule.SAML2JPaaSLoginModule##anonymous#http-nio-8041-exec-1#na#acc#app#web#acc#Failed to process SAML messagecom.sap.security.saml2.sp.sso.exception.BadCredentialsException: Signature validation of SAML2Assertion failed. at com.sap.security.saml2.sp.sso.LoginResult.throwBadCredentialException(LoginResult.java:274)

2 Answers

Best Answer
Sven Kohlhaas
Oct 11, 2016 at 02:13 PM
1

Hi Adam,

please have a look here https://open.sap.com/courses/hcp2/items/2nYQJPRGZdIg35e0XHtfLj at our Unit 4: Working with Multiple Identity Providers. Perhaps what we explain there will help you.

All the best,

Sven

Former Member Oct 17, 2016 at 05:33 PM
1

Thanks Sven,

I solved the problem. Both Identity Providers (test and production) announce themselves in the XML metadata file with the same entityID. It confuses the HCP authentication mechanism, because it doesn't know what the source of the SAML response was. It tries to validate the response against the default Identity Provider, but the message signature is wrong. As a result, an exception is thrown and an error message is displayed.

Adam

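The root cause Adam describes, two IdP metadata documents announcing the same entityID so the SP resolves the SAML Issuer to the wrong signing certificate, can be caught before the metadata is imported. The following Python check is an added example, not code from the thread or from SAP; the metadata snippets, file names and certificate strings are constructed placeholders.

```python
"""Find SAML IdP metadata documents that share an entityID: an SP keyed on
entityID cannot pick the right signing certificate, so assertions from the
second IdP fail signature validation even though their content is valid."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _metadata(entity_id: str, cert: str) -> str:
    # Constructed minimal IdP metadata for this example (not real SAP metadata).
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp(xml_text: str) -> tuple:
    """Return (entityID, [signing certificates]) from one metadata document."""
    root = ET.fromstring(xml_text)
    entity_id = root.attrib["entityID"]
    certs = [c.text.strip() for c in root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return entity_id, certs

def find_entity_id_collisions(documents: dict) -> dict:
    """Map every entityID declared by more than one metadata file to those files.
    Any hit means the SP cannot route a response's Issuer to a single key set."""
    owners = defaultdict(list)
    for name, xml_text in documents.items():
        entity_id, _ = parse_idp(xml_text)
        owners[entity_id].append(name)
    return {eid: names for eid, names in owners.items() if len(names) > 1}

# Constructed sample: test and production IdPs that both announce the same entityID,
# plus a third IdP with a distinct entityID that does not collide.
SAMPLES = {
    "idp-test.xml": _metadata("https://idp.example.com", "TESTCERTBASE64"),
    "idp-prod.xml": _metadata("https://idp.example.com", "PRODCERTBASE64"),
    "idp-partner.xml": _metadata("https://partner.example.org", "PARTNERCERTBASE64"),
}

if __name__ == "__main__":
    for eid, names in find_entity_id_collisions(SAMPLES).items():
        print(f"entityID {eid} is declared by {', '.join(names)}")
```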